Working to keep your digital experiences secure

Posts tagged "pdf"

A white paper detailing the security features and architecture of the core Adobe Document Cloud services is now available. The new Adobe Document Cloud combines a completely re-imagined Adobe Acrobat with the power of e-signatures. Now you can edit, sign, send and track documents wherever you are, across desktop, mobile and web. The paper covers the key regulations and standards Document Cloud adheres to and the security architecture of the offering, and describes its core capabilities for protecting sensitive information. You can download the paper now from adobe.com.

Now available for free on the Apple App Store and the Android Market, Adobe Reader 10.1 brings to your favorite mobile devices the same best-in-class PDF viewing experience you’re used to on the desktop. This latest release is our first for iOS devices, and shows Adobe’s commitment to providing the most compelling mobile experiences on the most popular platforms. With each new version, Adobe is bringing to mobile the capabilities that users on the go find most important, like text search, easy page navigation, bookmarks, and printing.

Key among the new features in Adobe Reader 10.1 for Mobile is support for opening files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and managing their access permissions centrally. The protection persists even when documents are accidentally forwarded by email, placed in the cloud, or saved on a mobile device that is later lost.

If you have sensitive information you want to protect and distribute, PDF is a good option to consider. Adobe Reader may well be the most widely distributed crypto-enabled application from any vendor, because Adobe has shipped encryption in it since version 2.0 in 1994, across numerous desktop and mobile platforms. So there is a good chance that your intended recipients will be able to open an encrypted PDF. Today, in 2011, PDF supports the FIPS-approved AES-256 algorithm and provides a number of advanced capabilities.

Another advantage of PDF’s built-in encryption is that it is integrated into the file itself rather than wrapped around it. Wherever the file goes, independent of storage and transport, it stays protected. Common alternatives like PGP, ZIP, and S/MIME use enveloping encryption: the envelope is discarded once it is opened, leaving the content unprotected and subject to accidental or malicious redistribution. One caveat: the protection travels with the file, not with the information in it. A recipient who can open the document can still save an unencrypted copy, so persistence guards against exposure in transit, in the cloud, or on a lost device, not against a recipient who deliberately strips it.

There are three main ways to encrypt a PDF file:

Password encryption

Public Key Infrastructure (PKI) encryption

Rights Management

Password encryption relies on a password shared between the publisher and all the recipients. The publisher chooses a phrase such as “No1Kn0w$” to encrypt the document, and each recipient enters the same phrase to decrypt it. Because the decryption key is derived from that password, anyone holding a copy of the file can test guesses offline at leisure. To resist brute force and dictionary guessing, use long passphrases that mix upper- and lower-case letters, digits, and symbols (the eight-character example above is far too short for anything sensitive). Song lyrics, poetry, and other long phrases make good source material.

PKI encryption can provide stronger protection by adding public-key cryptography and digital certificates. Each recipient has a key pair (up to RSA-4096) and publishes a public-key certificate. When encrypting, the publisher’s computer generates a random symmetric key (up to AES-256), encrypts the document with it, and then encrypts that symmetric key to each recipient’s public key, storing the wrapped copies in the document alongside the encrypted content. To open the document, a recipient’s computer uses its own private key to unwrap the symmetric key and then decrypts the content. When the private key is stored on a token (USB, CAC, PIV, eID) this becomes two-factor security: opening the document requires possession of the token plus the PIN that unlocks it.
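The hybrid scheme described above, as an added example that is neither Adobe’s code nor the PDF file format itself: one random AES-256 content key encrypts the document once, and that key is wrapped separately for each recipient under RSA-OAEP, so adding a recipient never re-encrypts the content and a key holder who is not on the list has nothing to unwrap. The example uses only Go’s standard library. AES-GCM and the Envelope/WrappedKey container are simplifications of PDF’s own public-key security handler (which carries the wrapped keys in CMS structures and encrypts content with AES-CBC); the 2048-bit keys, the hypothetical recipients alice, bob and mallory, and the sample document are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedKey is one recipient's copy of the content key, encrypted to that
// recipient's RSA public key. KeyID lets a reader locate its own entry.
type WrappedKey struct {
	KeyID   [8]byte
	Wrapped []byte
}

// Envelope is the illustrative container (an assumption of this example, not
// the PDF encryption dictionary): one symmetric ciphertext of the document
// plus one wrapped key per recipient.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys []WrappedKey
}

func keyID(pub *rsa.PublicKey) [8]byte {
	sum := sha256.Sum256(pub.N.Bytes())
	var id [8]byte
	copy(id[:], sum[:8])
	return id
}

// Seal encrypts the document once under a fresh random AES-256 key and wraps
// that key for every recipient, so the bulk ciphertext is shared by all.
func Seal(document []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	contentKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, document, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, WrappedKey{KeyID: keyID(pub), Wrapped: w})
	}
	return env, nil
}

// Open is the recipient side: find our wrapped entry, unwrap the content key
// with our private key, then decrypt the shared ciphertext. A key that is not
// on the recipient list has no entry and never learns the content key.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	id := keyID(&priv.PublicKey)
	for _, wk := range env.WrappedKeys {
		if wk.KeyID != id {
			continue
		}
		contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wk.Wrapped, nil)
		if err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(contentKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key for this recipient")
}

// Roundtrip seals a constructed document for two recipients and reports whether
// a listed recipient recovers it and whether an unlisted key is refused.
func Roundtrip() (recovered, outsiderRefused bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical recipients
	if err != nil {
		return false, false, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // not a recipient
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document: Q3 board minutes") // constructed input
	env, err := Seal(doc, []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	if err != nil {
		return false, false, err
	}
	got, err := Open(env, bob)
	if err != nil {
		return false, false, err
	}
	_, outsiderErr := Open(env, mallory)
	return bytes.Equal(got, doc), outsiderErr != nil, nil
}

func main() {
	ok, refused, err := Roundtrip()
	fmt.Println("recipient recovered document:", ok, "| outsider refused:", refused, "| err:", err)
}
```

The unlisted key fails before any decryption is attempted because no entry matches its key identifier, and a tampered ciphertext fails the GCM tag check in Open. Adding or dropping a recipient only rewrites the WrappedKeys list, which is why the per-recipient approach scales to large distribution lists without touching the bulk ciphertext.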

Rights Management was developed to integrate with enterprise authentication (AuthN) and authorization (AuthZ) infrastructure without requiring PKI. A Rights Management server ties into LDAP, Active Directory (AD), or other user databases to identify the community of users sharing a document, and can read groups from those same directories. An administrator creates a rights management “policy”, a reusable definition of how documents are to be protected. The policy defines which users or groups can open the document, what they can do with it, and what usage is tracked. These can be internal or external users, whether employees, partners, or consumers. The publisher then selects the policy to protect a document.

When a recipient opens the document, the Acrobat/Reader client calls back to the server to authenticate the user and determine whether they are authorized to open it. In addition to username/password authentication, the server can support Kerberos single sign-on (SSO), PKI authentication (which is distinct from the PKI encryption above), OTP, and other custom methods. With Rights Management you can also expire, revoke, version control, watermark, and audit document usage. It is well suited to communities of users that already have authentication and authorization systems in place, whether for secure information sharing or for electronic statements to consumers. In addition to PDF, Rights Management can also be applied to native Office and CAD documents. Stay tuned for news on rights management capabilities becoming available on smartphone and tablet devices in Fall ’11!

For all three encryption methods, it is also possible to restrict printing, clipboard use, and modification after a protected document is opened. With password and PKI encryption, these restrictions are permission flags honoured by the viewing application rather than enforced by the cryptography: any recipient able to open the document holds the decryption key, so the flags deter casual misuse rather than a determined recipient. With Rights Management the client enforces the same restrictions, but the server additionally decides whether the key is released at all and can withdraw that decision later.

These encryption capabilities can be applied ad hoc on the desktop with Acrobat, or as part of automated, structured workflows on a server.

Redaction was in the news again today with two large organizations publishing documents that weren’t properly redacted. So we’d like to remind everyone that removing sensitive information from an electronic document is easy…

Jim King, PDF Architect and senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation at the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands. He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, the challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard. This interview is now available…enjoy!